Open 10110111 opened 9 years ago
To get bases (and possibly limits) of the remaining segments, we could try the following:

1. `mprotect` all the memory but one page (which will hold code we inject) to make it inaccessible
2. `eax` = `0`, try to do `mov eax, [SREG:OFFSET]`
3. `SEGV_MAPERR` or `SEGV_ACCERR`: read `si_addr`
4. `SREG_base = si_addr - OFFSET`
This should be a menu item of a segment register view, since it seems it'll be time-consuming, and it might also play badly with signals which the debuggee might get while doing this search.

Limits can be found using a segfault with `si_code != SEGV_MAPERR && si_code != SEGV_ACCERR`.
Note that we don't have to re-retrieve the LDT on each trap: it's enough to catch syscalls with `eax == __NR_modify_ldt` and `ebx == 1 || ebx == 0x11`, which would try to change an LDT entry.
For 32-bit debuggees, try to read the LDT (by injecting a `modify_ldt(READLDT=0)` syscall) to be able to show segment bases in more cases.
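As an added example (not the issue author's code and not the debugger's own), this decodes the 8-byte descriptors that `modify_ldt(0, ...)` returns into base/limit, which is what a segment-register view would display, and includes the `si_addr - OFFSET` arithmetic from the proposal. The raw LDT read assumes Linux on x86/x86-64; the decoder itself is portable.

```c
/* Added example: decode x86 LDT descriptors read via modify_ldt(0, ...). */
#include <stdint.h>
#include <stdio.h>
#if defined(__linux__) && (defined(__i386__) || defined(__x86_64__))
#include <sys/syscall.h>
#include <unistd.h>
#endif

struct seg_desc { uint32_t base; uint32_t limit; int present; };

/* Decode one legacy 8-byte segment descriptor (layout per Intel SDM Vol. 3). */
struct seg_desc decode_descriptor(uint64_t raw)
{
    struct seg_desc d;
    uint32_t limit = (uint32_t)(raw & 0xFFFF) | ((uint32_t)((raw >> 48) & 0xF) << 16);
    uint32_t base  = (uint32_t)((raw >> 16) & 0xFFFFFF) | ((uint32_t)((raw >> 56) & 0xFF) << 24);
    int g = (int)((raw >> 55) & 1);      /* G bit: limit counted in 4 KiB pages */
    d.present = (int)((raw >> 47) & 1);  /* P bit */
    d.base = base;
    d.limit = g ? ((limit << 12) | 0xFFF) : limit;
    return d;
}

/* The fault-address arithmetic from the proposal: SREG_base = si_addr - OFFSET. */
uintptr_t base_from_fault(uintptr_t si_addr, uintptr_t offset)
{
    return si_addr - offset;
}

/* Read this process's LDT (modify_ldt func 0) and print present entries.
 * Returns the number of present entries, or -1 if the read is unavailable. */
int dump_ldt(void)
{
#if defined(__linux__) && (defined(__i386__) || defined(__x86_64__))
    static uint64_t ldt[8192];               /* max LDT size: 8192 entries */
    long n = syscall(SYS_modify_ldt, 0, ldt, sizeof ldt);
    if (n < 0) return -1;
    int present = 0;
    for (long i = 0; i < n / 8; i++) {
        struct seg_desc d = decode_descriptor(ldt[i]);
        if (!d.present) continue;
        printf("LDT[%ld]: base=0x%08x limit=0x%08x\n", i, d.base, d.limit);
        present++;
    }
    return present;
#else
    return -1;
#endif
}

int main(void)
{
    printf("%d present LDT entries\n", dump_ldt());
    return 0;
}
```

A freshly started process normally has an empty LDT, so the dump is empty until the debuggee (or a runtime such as an emulator) installs entries.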